The chief information officers of Texas and Florida said Wednesday that one of the greatest hurdles in improving cybersecurity across their states, including at the local level, is building up and maintaining trust with other agencies and levels of government.
But getting to that point of trust is also a matter of organization, which can be a challenge for young statewide agencies like the Florida Digital Service, James Grant, Florida’s CIO and head of the year-and-a-half-old agency, said during a virtual event convened by the Information Technology Industry Council.
“The biggest takeaway is validating trust if we’re going to make progress in the fight,” Grant said. “We’re the acting lead [on cybersecurity], but that doesn’t mean we’re efficiently organized in the state. Trust is at the forefront. Threat actors don’t care about divisions or branches of government.”
Florida Gov. Ron DeSantis named Grant, a former state lawmaker, in August 2020 to lead the Florida Digital Service, which was created in legislation — introduced by Grant — reorganizing the state’s IT governance for the fourth time in 15 years. Since then, though, the agency has struggled to retain key employees, even as it holds responsibility for Florida government’s cybersecurity and data governance.
And while Grant this month announced the hiring of a new chief information security officer in Jeremy Rodgers, a longtime IBM employee, his agency has also faced criticism that it had been slow to make use of about $30 million in cybersecurity funding appropriated last year by lawmakers in Tallahassee. But Grant also announced last week a new $15.9 million program for enterprise cybersecurity across 20 state agencies, which he described Wednesday as a first for Florida.
“Historically, Florida has never bought like an enterprise,” Grant said. “We’ve never had two agencies share telemetry data in the 25 year history of state technology.”
He also said that because the Florida Legislature had set aside the $30 million for cyber in a reserve fund, lawmakers had to approve how the Florida Digital Service used it.
Jealous of Texas
On matters of building trust between IT agencies and other parts of government, though, Texas is further ahead. State CIO Amanda Crawford said much of that growth was achieved through the response to a 2019 ransomware attack that took down systems in 23 local governments across the state, necessitating the Texas Department of Information Resources and other agencies to come in with assistance.
“Those are governments that are not on our state agency networks,” she said. “These were local governments that Texans interact with every day and they needed help.”
Crawford credited the response to Texas following an incident-response playbook that treated a cyberattack similar to other major disasters, like weather events, and having run drills like tabletop simulations. That approach, Crawford said, allows cyberattack victims to focus on mitigation and recovery rather than turf wars and recrimination.
“You need to be able to report and get back on your feet,” she said. “Get away from blame game. Except, of course, for blaming the bad guys.”
With an IT agency that’s less developed than Crawford’s DIR, Grant said Texas offers a possible model to follow as it builds out its cybersecurity program. He also said he’s trying to recruit personnel using a “tour-of-service” approach — in which professional technologists spend a few years inside government — though he conceded that talent can be harder to find in Tallahassee.
“As the son of a Texan and a lifelong Floridian, one thing I’m jealous of is Austin,” he said. “But I can give them access to an enterprisewide data model or threat hunting in an environment that’s the 14th- or 15th-largest economy in the world. We do have a blank canvas, but a lot of painting to do.”